
MASTER'S THESIS

Securing the Linux Web Server via the Linux Netfilter/Iptable Firewall: Information Security Education

Andrews Narteh Tetteywayo (andtet-0@student.ltu.se)
Wonder Yao Stephen Akpabi (wonakp-0@student.ltu.se)

Master (120 credits)
Master of Science in Information Security

Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering
Division of Computer and Systems Sciences

LTU © 2012, Sweden
Akpabi & Tetteywayo, 2012

Acknowledgement
The authors, Wonder Yao Stephen Akpabi and Andrews Narteh Tetteywayo of the Luleå University of Technology, wish to thank our supervisor, Prof. Tero Päivärinta, who provided the necessary guidance and coaching throughout this work, and co-supervisor, Todd Booth, who was always there to assist with the technical details of this work. In most cases, Todd Booth would go out of his way just to make sure that his students succeeded in their work.

We also wish to thank our colleague students who through their positive criticisms and contributions provided useful information for the successful completion of this work.

Preface
This research was in partial fulfilment of the requirements for a Master of Science in Information Security (MSc Information Security) degree at the Department of Computer Science, Electrical and Space Engineering at Luleå Tekniska Universitet (LTU), Sweden. The research was performed under the supervision of Professor Tero Päivärinta at LTU from August 2011 to June 2012. In no order of importance, the authors of this research are Andrews Narteh Tetteywayo (ANT) and Wonder Akpabi Yao Stephen (WAYS). Both authors contributed equally to the success of this work.

ANT and WAYS would like to thank Professor Tero Päivärinta for his supervision and guidance coupled with his frequent comments on our work. We are also grateful for the technical support received from co-supervisor, Todd Booth.

Andrews Narteh Tetteywayo (ANT)
Wonder Akpabi Yao Stephen (WAYS),
LTU © 2012.

Table of Contents
Acknowledgement
Preface
Abstract

CHAPTER ONE
1.0 Introduction
1.1 Background Information
1.2 Netfilter/Iptable in Brief
1.3 Problem Statement
1.4 Purpose of and Scope of Study
1.5 Research Question
1.6 Delimitations
1.7 Structure of the Work

CHAPTER TWO
2.0 Technological Concept
2.1 Virtualisation Technology
2.2 Virtual Laboratory
2.3 Information Security Education
2.4 Web Servers

CHAPTER THREE
3.0 Literature Review
3.1 Literature Review Process
3.2 Related Work

CHAPTER FOUR
4.0 Methodology
4.1 Technology Analysis
4.2 Technical Requirements and Architecture

CHAPTER FIVE
5.0 Implementation and Analysis of Lab
5.1 Design of Lab and Settings
5.3 Our Work
5.3.1 Implementation on the Ubuntu Server (Host)
5.3.1.1 Iptables User Interface
5.3.2 Implementation on Windows 7 (client) computer
5.3.2.1 Nmap/Zenmap
5.3.2.2 Metasploit Framework
5.3.3 A FRAMEWORK FOR DESIGNING SECURITY PROJECTS
5.3.4 Results and Analysis

CHAPTER SIX
6.0 Discussion and Conclusion
6.1 Future Work

References

Abstract
Firewalls are one of the core components of a network security implementation. In the case of Linux, the commonest firewall technique is the Netfilter/Iptable. In this work we investigated the Linux Netfilter/Iptable firewall technology. This work was carried out as part of the virtual war hack lab project at Luleå University of Technology. The virtual war hack lab project aims at providing lab access to distance information security students. In a traditional course in information security, laboratory exercises and assignments are typically conducted in an isolated computer lab where security problems that may occur are unable to affect other computers on campus. Besides, this does not make it feasible for students (particularly distance students) to practice information security anytime, anywhere. To somewhat overcome this challenge, the virtual war hack laboratory has been developed at the Luleå University of Technology, which will allow information security students to get familiar with security terminologies and tools via the Internet. Extending these lab experiences to distance students through virtualisation will inevitably call for proper means of securing the servers. A web server in a virtualized environment can sometimes pose problems as far as defense is concerned, as virtual users do not have access to the hardware resources the service provider is offering. This work teaches the use of the Netfilter/Iptable firewall in securing the Linux web server (apache) in a virtualized environment.

CHAPTER ONE
1.0 Introduction
1.1 Background Information

Information security is commonly thought of as a process and not a product. Quite a number of efforts have been made to teach information security in one way or another. For instance, several authors (Scheckler 2003, Hu & Meinel 2004, Hu & Cordel 2004, Aboutabl 2006, Nabhen & Maziero 2006, Kumar et al. 2010, Glumich & Kropa 2012) have made different efforts in their works to teach information security. Information security has become a major concern of every organisation, regardless of size. This concern is compounded in a virtualised environment. It is therefore crucial to apply all security techniques to secure servers used in a virtualised environment, such as a virtual lab. Standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with network-level access control issues.

A firewall is one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace, from home users protecting one PC to data centre solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets.

A common software firewall on Linux systems is Netfilter/Iptables. The Netfilter/Iptable firewall is a stateful filtering firewall. The Iptable interface, in the words of Purdy (2004), “is the most sophisticated ever offered on Linux and makes Linux an extremely flexible system for any kind of network filtering.” The focus of this work was on the use of the Netfilter/Iptable firewall in securing the Linux web server (apache) in a virtualized environment.

This work was carried out as part of the virtual war hack lab project at Luleå University of Technology. The virtual war hack lab project aims at providing access to practical information security education laboratory exercises and assignments for all information security teachers and students, particularly distance students.

In an online class, students often cannot physically attend labs on campus. To somewhat overcome this challenge, the virtual war hack laboratory project was launched. In a traditional course in information security, lab experiences are typically conducted in an isolated computer lab where security problems that may occur are unable to affect other computers on campus. Also, students are able to experiment with security software without worrying that their experiment may impact computer systems outside the isolated lab. Again, students can evaluate the security of different operating systems, attempt to compromise the security of computer systems, and install additional security mechanisms without concerns that their actions may affect computers outside the laboratory.

The virtual war hack lab is expected to create a platform for distance students to perform laboratory operations through virtualization. Apart from being remotely accessible, the virtual lab will also be remotely configurable, thereby allowing each student of information security to independently configure network resources for security purposes.

Unlike the traditional laboratory settings, security in a virtual laboratory is of great concern. The contribution of the authors, who were students of the University (LTU) at the time of this project, to this virtual lab project was to demonstrate to students the securing of a Linux web server against attacks, using Netfilter/Iptable.

This study therefore looked at the use of the Netfilter/Iptable firewall in securing the Linux web server (apache) in a virtualized environment.

1.2 Netfilter/Iptable in Brief

Before moving on to the details of the work, we briefly explore the framework of the Netfilter/Iptable to give readers an appreciation of the subject matter.

The Netfilter framework is located in the Linux kernel IP layer; it provides a set of hooks to intercept and manipulate packets. “The Netfilter/Iptables IP packet filtering system is a powerful tool that is used to add, edit and remove the rules that a firewall follows and consists of while making packet filtering decisions. These rules are stored in special-purpose packet filtering tables integrated in the Linux kernel. Inside the packet filtering tables the rules are grouped together in what are known as chains” (Vairagade, 2002). The Netfilter framework provides packet processing functions such as packet filtering, packet forwarding, connection tracking, Network Address Translation (NAT), and packet mangling for packet modification (Chen et al., 2010). The Netfilter/Iptable framework defines five major hooks which are used to intercept and manipulate packets (Purdy, 2004; Chen et al., 2010; Zhong & Huaqing, 2012). These are the PREROUTING, FORWARD, POSTROUTING, INPUT and OUTPUT chains. Packets are received by a local network service through the PREROUTING and INPUT chains. Packets that are going out use the OUTPUT and POSTROUTING chains. The following is an excerpt from Chen et al. (2010) on the Netfilter/Iptables framework.

Netfilter framework provides the iptables utilities for users to configure the Netfilter
framework, e.g., firewall rules configuration. Netfilter firewall manages the firewall rules
using the linked-list data structure. So every packet must check all firewall rules until it
finds the rule-matching result. As a consequence, the number of rules and incoming packets
determine firewall’s computation complexity. With the growth of rules and incoming
packets, CPUs would spend considerable time on the Netfilter firewall; this situation would
influence the overall performance of network application.

The FORWARD hook enables packets that flow through a gateway computer, coming in one interface and going right back out another, to be processed. The INPUT hook allows packets to be processed just before they are delivered to a local process, while the OUTPUT hook allows packets to be processed just after they are generated by a local process. It is possible to process packets just before they leave a network interface through the POSTROUTING hook, and the PREROUTING hook allows packets to be processed just as they arrive from a network interface (Purdy, 2004).

There are three tables inherent in iptables, and these are filter, mangle and nat (Purdy, 2004). These built-in tables are preconfigured with chains corresponding to one or more of the hook points. Nat is used with connection tracking to redirect connections for network address translation, usually based on source or destination addresses. Its built-in chains are OUTPUT, POSTROUTING, and PREROUTING. The filter table is used to set policies for the type of traffic allowed into, through, and out of the computer. Usually, iptables operates on chains within this table by default. The built-in chains for this table are FORWARD, INPUT, and OUTPUT. Mangle is used for specialised packet alteration, such as stripping off IP options. Its built-in chains are FORWARD, INPUT, OUTPUT, POSTROUTING, and PREROUTING (Purdy, 2004).

Each of the tables described above has chains. Usually, these chains are initially empty. It is also possible to create custom chains to organize the rules that are created. The policy of a chain (i.e. ACCEPT, DROP, RETURN, etc.) determines the fate of packets that reach the end of the chain without otherwise being sent to a specific target (Purdy, 2004).

Iptables has rules with targets that tell the kernel what to do with packets coming from certain sources, heading for certain destinations or having certain protocol types (Vairagade, 2002). Packets that match a rule are allowed to pass through with the help of the ACCEPT target, while those that do not match a rule are blocked and killed through the use of the DROP or REJECT targets. Both the match and the target portion of the rule are optional, to the extent that if there are no match criteria, all packets are considered to match, and if there is no target specification, nothing is done to the packets (Purdy, 2004). “The rules are grouped in chains, according to the types of packets they deal with. Rules dealing with incoming packets are added to the INPUT chain. Rules dealing with outgoing packets are added to the OUTPUT chain. And rules dealing with packets being forwarded are added to the FORWARD chain. These three chains are the main chains built-in by default inside basic packet-filtering tables” (Vairagade, 2002). Packets pass through chains, and are presented to the chains' rules one at a time in order. If the packet does not match the rule's criteria, the packet moves to the next rule in the chain. If a packet reaches the last rule in a chain and still does not match, the chain's policy is applied to it (Purdy, 2004).
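
The traversal behaviour described in this section (rules tried in order, optional match and target, custom chains, the chain policy as fallback) and the linear rule-list cost noted in the Chen et al. excerpt can be modelled in a few lines of Python. This is an added example, not code from the thesis or from Netfilter; the class names, the WEB chain, the sample ruleset and the packets are constructed for illustration.

```python
"""Simplified model of iptables chain traversal (illustration, not kernel code)."""
from dataclasses import dataclass, field
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal


@dataclass
class Rule:
    target: Optional[str] = None               # None models a rule without -j
    match: dict = field(default_factory=dict)  # {} = no criteria: all packets match
    hits: int = 0                              # per-rule packet counter

    def matches(self, pkt: dict) -> bool:
        for key, want in self.match.items():
            allowed = want if isinstance(want, (set, frozenset)) else {want}
            if pkt.get(key) not in allowed:
                return False
        return True


class FilterTable:
    def __init__(self, policies: dict):
        self.policies = dict(policies)         # only built-in chains have a policy
        self.chains = {name: [] for name in policies}

    def new_chain(self, name: str) -> None:    # models `iptables -N NAME`
        self.chains[name] = []

    def append(self, chain: str, target: Optional[str] = None, **match) -> Rule:
        rule = Rule(target, match)             # models `iptables -A CHAIN ... -j TARGET`
        self.chains[chain].append(rule)
        return rule

    def _walk(self, chain: str, pkt: dict, stats: dict) -> Optional[str]:
        for rule in self.chains[chain]:        # rules are tried strictly in order
            stats["checked"] += 1
            if not rule.matches(pkt):
                continue                       # no match: try the next rule
            rule.hits += 1
            if rule.target is None:
                continue                       # no target: packet is only counted
            if rule.target in TERMINATING:
                return rule.target             # first terminating match decides
            if rule.target == "RETURN":
                return None                    # resume in the calling chain
            verdict = self._walk(rule.target, pkt, stats)  # jump to a custom chain
            if verdict is not None:
                return verdict
        return None                            # fell off the end of the chain

    def verdict(self, chain: str, pkt: dict):
        """Return (verdict, rules compared); the chain policy applies if no rule decides."""
        stats = {"checked": 0}
        result = self._walk(chain, pkt, stats)
        return (result or self.policies[chain]), stats["checked"]


def web_server_table():
    """Constructed stateful ruleset for a host that serves only HTTP/HTTPS."""
    t = FilterTable({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    t.new_chain("WEB")
    t.append("INPUT", "ACCEPT", iface="lo")
    t.append("INPUT", "ACCEPT", state={"ESTABLISHED", "RELATED"})
    t.append("INPUT", "WEB", proto="tcp", state="NEW")    # jump to custom chain
    icmp_counter = t.append("INPUT", None, proto="icmp")  # match only, no target
    t.append("WEB", "DROP", src="203.0.113.7")            # constructed blocked client
    t.append("WEB", "ACCEPT", dport={80, 443})
    t.append("WEB", "RETURN")                             # no criteria: matches all
    return t, icmp_counter


def packet(**fields) -> dict:
    """Constructed sample packet: new TCP connection to port 80 arriving on eth0."""
    base = {"iface": "eth0", "proto": "tcp", "state": "NEW",
            "src": "198.51.100.10", "dport": 80}
    base.update(fields)
    return base


def cost_of_miss(n_rules: int) -> int:
    """Rules compared for a packet that matches none of n_rules (linear list walk)."""
    t = FilterTable({"INPUT": "DROP"})
    for i in range(n_rules):
        t.append("INPUT", "ACCEPT", proto="tcp", dport=10000 + i)
    return t.verdict("INPUT", packet(dport=80))[1]


if __name__ == "__main__":
    table, icmp_counter = web_server_table()
    samples = {"new HTTP": packet(), "new SSH": packet(dport=22),
               "blocked client": packet(src="203.0.113.7"),
               "reply traffic": packet(state="ESTABLISHED", dport=51512),
               "ICMP echo": packet(proto="icmp", dport=None)}
    for name, pkt in samples.items():
        print(f"{name:15} -> {table.verdict('INPUT', pkt)}")
    print("ICMP counter rule hits:", icmp_counter.hits)
    print("rules compared on a miss with 1000 rules:", cost_of_miss(1000))
```

Placing the ESTABLISHED,RELATED rule near the top means reply traffic is decided after two comparisons, while a packet that no rule decides pays for every rule before the DROP policy applies.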

1.3 Problem Statement

Defending a web server in a virtualized environment can sometimes be a problem, as virtual users do not have access to the hardware resources the service provider is offering. You cannot have a dedicated hardware firewall for your virtual web server, so in deciding which type of firewall to use to ensure the security of information systems (such as web servers) in such an environment, it is important to consider tools like Netfilter/Iptable.

The Linux web server is believed to be the most common web server today. This suggests that, all things being equal, it is likely to be the web server with the most security concerns. It is common knowledge that hackers or cyber terrorists would not waste time attacking less popular information systems at the expense of the most popular ones. Consequently, securing such web servers has become essential. However, keeping information systems secure is a process, not an outcome. It is a process which is difficult to adopt under normal circumstances; the problem is compounded when it spans several job descriptions. All the system-level security in the world is rendered useless by insecure web applications. Securing Linux web servers can seem like a daunting task, but it can be made much easier by breaking the process into manageable portions, such as just taking the Linux Netfilter/Iptable firewall and exploring it in an information security education programme.

Information security education has become vital in recent years, especially given the high rate of security breaches in both big and small organisations. Translating information security knowledge acquired in the classroom into practical knowledge useful in the field of work will be a mirage if students rely solely on theory and do not do practical assignments and hands-on exercises. As Hu & Cordel (2004) put it, measuring the success of IT security should not only depend on the use of new technologies but should involve both IT personnel and IT security training, since most attacks occur due to ignorance of countermeasures on the part of people. That is to say, practical information security skills and knowledge are lacking. People know more of the theory than the practical knowledge. It is therefore necessary that information security students have access to a laboratory setup to carry out practical assignments and hands-on projects. Most of these labs in many educational institutions are physical in nature; that is to say, they are situated on the campuses. This means that distance students may not have access to these information security labs. However, in today's highly technological and globalised world, online education or e-learning is becoming the order of the day. Most students are finding that medium of education convenient and useful, since it offers them the opportunity and the luxury to work and study at the same time. It is therefore important that information security laboratory experiments be accessible online, so that distance students can also carry out hands-on practical projects.

Moving the conventional information security laboratory onto the Internet is not only hard, because many requirements of conventional laboratories are difficult to satisfy in an open sharable environment (Hu & Meinel, 2004), but also expensive in terms of investing in the right technologies. The alternative option is a virtual information security laboratory.

1.4 Purpose of and Scope of Study

This study sought to provide information security educators as well as students with practical knowledge in deploying a Netfilter/Iptables based firewall for ensuring the security of a web server in a virtualised environment, and to assess its efficiency and performance by launching different types of known attacks against apache web servers. Apart from being the most frequently used web server, the Linux Apache Web Server is a free, fully configurable web server. It has been the most popular since April 1996, and as at March 2012 it was estimated to serve about 57.46% of website activities and 65.24% of the top servers across all domains (McCool, 2012).

A firewall is a program that performs packet filtering, allowing the server administrator to determine which packets of data are accepted or rejected from a given network interface based on criteria such as source, destination, protocol and other specifics found in the headers contained in the packet of data. There are two main types of firewalls: network-based firewalls and host-based firewalls. A network-based firewall is implemented at an identified location in the network path and protects all computers on the internal network from computers on the external network. In the case of the host-based firewall, the firewall is installed on an individual computer to protect it from activity occurring on its network. The Netfilter/Iptable firewall that this work explored falls in the latter category. The focus of this work was on the use of the Netfilter/Iptable firewall in securing the Linux web server (apache) in a virtualized environment. The Netfilter/Iptable firewall is a stateful filtering firewall.

The fact that the Linux web server is the most common web server today motivated the choice of Linux Netfilter/Iptable in this work. Of the many Linux distributions available, we decided to use the Ubuntu distribution. Our choice of Ubuntu was informed by the fact that it is one of the few widely used distributions for similar attack and defence exercises.

The research considered using a Netfilter/Iptable firewall to determine which packets should be allowed or rejected by the Linux web server. We used Netfilter/Iptables to secure a Linux web server in an online information security laboratory. This laboratory would be made available for both distance and campus students to do hands-on experiments by carrying out attack exercises. The work presented students with the opportunity to learn how to configure Iptable as a firewall. But more importantly, this work was designed for security educators who would use it to teach learners. All this would be possible in the virtualised laboratory.

1.5 Research Question

As indicated under the problem statement, defending a web server in a virtualized environment can sometimes be a problem, as virtual users do not have access to the hardware resources the service provider is offering. It is possible to have both a dedicated hardware firewall and a software firewall for your virtual web server, but in deciding which type of firewall to use to ensure the security of information systems (such as web servers) in such an environment, we considered tools like Netfilter/Iptable, which is a software firewall.

Again, as alluded to under the problem statement above, information security students need hands-on experience (or, if you like, knowledge) in their training and education. There is no disputing the fact that information security education has become crucial in recent years due to the skyrocketing number of security breaches that bedevil organisations on a regular basis. The security situation in the world is very appalling. It is therefore not surprising that stakeholders in security education are exploring all avenues to increase the practical knowledge of security students. One such avenue is the implementation of an online information security laboratory where distance students and campus students alike can have access to practical security exercises at any time. Under this initiative, information security students will have the opportunity to have hands-on experience regarding the vulnerabilities and security tools they are taught in class and read about in books.

The objective of this work is therefore to demonstrate the security of the apache webserver using tools like Netfilter/Iptable in a virtualised environment. In order to achieve the stated objective, the following question was examined carefully:

How can students secure the Linux web server via the Linux netfilter/iptable firewall in a virtualized environment?

In answering this question we demonstrated how to discover vulnerabilities in the server, and then moved on to explain how to secure the server. We did all this in a virtual laboratory environment.

1.6 Delimitations

This research aims at securing webservers, both virtual and physical servers. There are many security tools and firewalls available, but for the purposes of this work, we limited our choice to only Netfilter/Iptables. Regarding the choice of Linux distribution, we have limited this study to only Ubuntu. We shall use Netfilter/Iptables to secure a Linux web server in a real virtualised environment, followed by attacks launched against the Linux web server. The research focused on simulating the web server after attacks bypass the service provider's protection to ensure C.I.A. By doing this, an extra layer of security will be created to deepen security on the webserver.

1.7 Structure of the Work

The work has been structured into six chapters. The first chapter dealt with the introduction, background information, description of the problem area, scope of work, and research aims and questions. Chapter two covered the technological concept or background, where a brief account of the virtualisation technology was given. In addition, the chapter briefly described some key terms used in the work, such as web servers, virtual laboratories, and information security education. Chapter three presented the literature review process as well as the related works in the area. The fourth chapter presented the methodology used in the study, while chapter five covered the implementation and analysis of results. In the final chapter, we discussed the results, drew conclusions and recommended areas for future research.

CHAPTER TWO

2.0 Technological Concept


In this section we present the technological concept of this research work. The discussion covers virtualisation technology, web servers, information security education and virtual laboratories, which goes a long way to throw more light on the technology used in this work.

2.1 Virtualisation Technology


This work employed the technology of virtualisation for information security education. Primarily, the authors are interested in the use of technology, such as virtual machines, in the teaching and learning of information security. Virtualisation allows for the creation and execution of multiple virtual machines, running separately or in isolation, side-by-side on the same physical computer (Duignan & Hall, 2008; Li, 2010; Li & Mohammed, 2008; Rose, 2004). Fundamentally, each of the virtual computers has its own set of hardware, though virtual in nature, upon which operating systems and application software can be loaded. This suggests that each virtual machine runs like a physical machine, making it possible for users to install operating systems and execute applications in the virtual machines in the same manner as they would on physical machines (Li & Mohammed, 2008).

Virtualisation technology is believed to have been used first by IBM in the 1960s to offer concurrent timesharing of their mainframe systems (Creasy, 1981). In the course of time, the virtual machine monitor was introduced as a software abstraction layer to manage the mainframe hardware and to support virtual machines (Goldberg, 1974). This virtual machine monitor (VMM), which is a software layer that abstracts the physical resources for use by the virtual machines, can be best described as the host to the guest virtual machine (Rose, 2004), and goes “hand-in-hand with virtual machines”. The abstraction power of the virtual machine monitor makes it possible to run multiple virtual machines on the same system. Rose (2004) further explains and illustrates the power of the virtual machine monitor as a tool that is able, first of all, to provide “a virtual processor and other virtualised versions of system devices such as I/O devices, storage, memory”, and secondly to provide isolation between the virtual machines it hosts so that problems in one cannot affect another. Principally, there are two main trends in the development of virtual machine systems, which are “full system virtualization, where an entire hardware architecture is replicated virtually; and paravirtualization, where an operating system is modified so that it can be run concurrently with other operating systems that have also been designed for paravirtualization” (Rose, 2004).

A number of virtualisation technologies have been in use over the past few years, since the advent of virtualisation on the information technology landscape. Of the numerous virtualisation technologies available, VMware and VirtualBox are the most commonly used ones, probably because they are easy to use and support multiple flavours of different operating systems such as Windows, Linux or Unix (Li, 2010). In this work we adopted the VMware technology.

2.2 Virtual Laboratory

Unlike the conventional laboratories, virtual laboratories use the power of computerized

models and simulations (Scheckler, 2003) and the power of the Internet or the Wold Wide

Web (www) to carry out practical experiments and projects. We can talk of “a collection of

digital simulations supported by discussion forums, video demonstrations” (Scheckler,

2003). In information security virtual labs, distance students are able to access and

participate in real time teaching of practical security lessons. The virtual laboratory replaces

physical machines in the traditional laboratories with virtual machines on one host server

and eliminates the limitation that users have to complete security exercises on the local


operating system (Hu, J., & Cordel, D. 2004). This makes it possible to move the entire security

laboratory and its tutoring server to the Internet, where they can be shared by remote users.

It is prudent and efficient to create a unit virtual machine architecture to serve information

security and networking procedures effectively. When designed properly, it reduces the

information technology load of maintaining the facility, provides students with a consistent

environment across two or more courses, and helps students with hands-on

activities in both labs and the classroom. The virtual environment would help students who enroll

in networking courses in an information security program, regardless of distance, to have

practical lab experience. A virtual laboratory is a computing system that allows sharing the

physical resources available in the lab with remote users connected over the Internet

(Giuseppe C. & Giorgio B., 2003).

2.3 Information Security Education

The information security education area is concerned with information security curriculum

design at the national and institutional levels, innovative approaches to teaching information

security, evaluations of existing approaches, emerging needs for information security

curriculum, innovative approaches to faculty development and capacity building, challenges

faced by institutions and programs, and other topics relevant to information security

education (Morales & Dark, 2007). For people in their own environment, there are no

information security standards available. But it could be agreed that information protection

in either organizational or personal setting would have to be based on some sort of general

standards. It is therefore obvious that information security education would be influenced

positively by standards such as ISO/IEC 27002. ISO/IEC 27002 suggests the use of

information security controls as countermeasures to avoid, counteract or reduce security

risks to information resources. Information security controls consist of operational,

physical and technical controls. Operational controls are of administrative, managerial and

procedural nature relating to human roles in the information security education. Technical

controls involve technological countermeasures, for example, user authentication by logging

into the system to gain access to resources. Physical controls provide a physical layer of

protection, for example, providing a lock on the server room doors (Reid, et al., 2011).

Information security education has become so vital in recent years, especially given the

high rate of security breaches in both big and small organisations. Translating information

security knowledge acquired in the classroom into practical knowledge useful in the field of

work will be a mirage if students rely solely on theory and do not do practical assignments

and hands-on exercises. As Hu, J., & Cordel, D. (2004) put it, “success of IT security not only

depends on the evolution of technologies, but also relies on the knowledge of IT-Personnel

and the level of their IT-security education. Unfortunately, many attacks succeed because

people have no knowledge about vulnerabilities of their systems and do not know how to

defend them against attacks.” It is therefore necessary that information security students

have access to laboratory setup to carry out practical assignments and hands-on projects.

Most of these labs in many educational institutions are physical in nature; that is to say, they

are situated on the campuses. This means that distance students may not have access to these

information security labs. However, in today’s highly technological and globalised world,

online education or e-learning is becoming the order of the day. Most students are finding

that medium of education convenient and useful, since it offers them the opportunity and the

luxury to work and study at the same time. It is therefore important that information security

laboratory experiments should be accessible online, so that distance students can also carry

out hands-on practical projects. Moving the conventional information security laboratory

onto the Internet is not only hard, because many requirements of conventional laboratories

are difficult to satisfy in an open sharable environment (Hu & Meinel, 2004), but also

an expensive thing to do, in terms of investing in the right technologies. The alternative

option is a virtual information security laboratory.


2.4 Web Servers

A web server is primarily used for communications. It uses web browsers as its clients while

using protocols such as HyperText Transfer Protocol (HTTP) to enhance performance. It is

also referred to as an HTTP server. The web server responds to every request it receives from

the web browser. These responses include a status code to inform the browser whether the request

was successful. If the request was successful, the response includes the requested page or

document; otherwise a reason for failure is sent to the web browser or client. Therefore, two

main elements that can affect the performance of any web server are:

• Number of requests that the server must process

• Amount of data (packets) that the server must transfer.

A Web Server provides the ability to host websites or take advantage of web based

applications. In the simplest terms it is where a website that can be viewed through the

Internet physically resides. Real Time can provide the following features on a Linux Web

Server:

• 128 bit Encryption

• SSL 3.0

• CGI support

• Squid Web Cache and Proxy

• Virtual Hosting, etc.

According to Martin F. and Carey L (1997) “improving the performance of Web servers is

vital to the goal of reducing response times. Researchers at Boston University are

developing a tool that takes detailed measurements of Web servers activity, to help identify

performance bottle-neck.” However, caching appears to be useful in improving web server

performance due to the large number of requests for a small number of documents,


concentration of references within these documents and their sizes (Martin F. & Carey L.,

1997). Haakon B. et al (2000) explained that if two or more servers have the same number

of active connections, then the load balancer will opt for the server with the lowest server

identifier, meaning that servers with very low numbers will be preferred to servers with high

numbers.

The security of web servers is as important as its performance. Though there are many

technologies used in securing web servers, ranging from firewalls to intrusion detection

systems, organisations cannot boast of adequate security measures to protect their

information systems against modern sophisticated technologies used by hackers. Every now

and then, the “bad boys” are deploying new sophisticated technologies to frustrate the “good

boys”. Among the recommendations made by the National Institute of Standards and

Technology (ITL Bulletin, 1999) to secure web servers are the proper design, installation

and configuration of firewalls (both external and internal), proper and relevant

packet filtering technologies and strategies, and the use of intrusion detection systems (both

network-based and home-based). It is true that there is no

complete security solution to information systems and for that matter, web servers, but

having the required knowledge about how to defend or provide security is a significant step

towards ensuring adequate security for information systems. It is not untrue that in most

instances, “attackers are able to penetrate most web servers because the systems

administrators are either not knowledgeable about web server security or did not take the

time to properly secure the system” (ITL Bulletin, 1999). If web site administrators who

were once students, and continue to be students in many other ways, were trained properly,

probably through hands-on security exercises, some of the avoidable security breaches

would have been somewhat mitigated. Providing or developing a practical methodology for

training information security students is therefore a step in the right direction.


CHAPTER THREE

3.0 Literature Review


3.1 Literature Review Process

Knowledge about previous work done in this area is very crucial. In this section we

reviewed previous research work done in the area. In our search for relevant literature, we

relied heavily on Google Scholar, IEEE and ACM databases. In the literature search process

we used terms such as: Netfilter/Iptables, information security education, Linux server,

virtual labs, web servers and found some related works. We have included a table (Table 1)

below to explain further what we considered in selecting the literature that we reviewed for

this work.

3.2 Related Work

Quite a number of previous works have used Netfilter/Iptables as a firewall in information

security, computer and network security education. The areas covered by this review

include Netfilter/Iptable, information security education and virtualisation

technology.

3.2.1 Netfilter/Iptable
The Netfilter/Iptable firewall is one of the common software firewalls available. The

firewall has been used in different ways to teach information security. Some research works

were interested in the performance of the firewall regarding its ability to process network

traffic when implemented on a web server (Chen et al, 2010). To the authors, the speed at

which the netfilter processes packets exacts a toll on the performance of the web server. In

their bid to improve the performance of the server, they developed the NetfilterOffloader - a

high speed firewall - which offloads the Netfilter firewall’s functions, thereby improving

performance. Accardi et al, (2005) also acknowledged the performance challenges of the

Netfilter firewall, and consequently proposed and developed a hybrid firewall which

includes an application layer Netfilter firewall and a simple filtering firewall. The work

indicated that the hybrid firewall performed better regarding the processing of traffic.

Clearly, the works exposed the performance weakness of the Netfilter firewall and gave

alternatives to overcome those challenges. What the two works could not clearly establish

was whether or not the security of the web server offered by the new firewalls was better

than that of the Netfilter firewall. Kumar et al (2010) instead explored the strengths of

Netfilter/Iptable in overcoming the challenges of Intrusion Detection Systems (IDSs). The

authors believe that the challenges of IDSs could be overcome by configuring

Netfilter/Iptable to perform the functions of real time prevention after the attacks have been

detected by the system. They proposed “a real time system that consists of an intrusion

detection system based on Self organising maps, for tracing down the malicious packets

along with handling those packets through an intrusion prevention system in the Linux

environment” (Kumar et al, 2010). In the proposed system, the authors configured

Netfilter/Iptable to perform the functions of real time prevention after attacks have been

detected by the system. Since most intrusion prevention systems rely on predefined

databases of attack signatures, they are not able to perform effectively when the attack

signature is not in the predefined database. Besides, they do not prevent internal attacks.

The system proposed by Kumar et al (2010) made use of the Netfilter/Iptable updating feature

to overcome these drawbacks of the traditional intrusion prevention systems.

From the reviewed literature, one trend that can be observed is the teaching of how to

configure firewalls using Iptables, through series of laboratory exercises (Dobrilovic &

Odadžic, 2006; Kretzer & Frank 2005; Glumich & Kropa, 2012; O’Leary, 2006). Though

they pursued this trend, doing extensive work on providing exercises that teach students

how to configure Iptables for packet filtering and setting up a firewall in Linux, Hu J. et


al (2006) introduced something that seems to depart from the trend: the authors used Iptable

to control access to virtual machines in their laboratory setup. They explored how virtual

machines are used to provide safe user work environments. In this work various efforts were

made to ensure the security of the online security education system (Tele-Lab). Unlike many

other security exercises where users or students are allowed privileged rights on virtual

machines, which in turn introduces a security risk, the authors of the Tele-Lab designed and

implemented “security isolation” which allows reasonable or allowable accessibility to

virtual machines while constraining risks in a safe scope. One such security isolation was

“network level isolation”. In this security measure, Iptable was used to enforce the following

access control policies:

• Local connections and local network services are allowed on a virtual machine.

• A virtual machine is not allowed to initialize any network connection to the other virtual

machines on the host.

• A virtual machine is allowed to accept or respond to the connections for the virtual

network computing (VNC) service if this virtual machine has been assigned.

• Except for those connections mentioned in Policy 3, a virtual machine is not allowed to

launch any forms of connections for the Internet.
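
The four network-level isolation policies listed above can be written as a short Netfilter ruleset. The following is an added example, not code from Tele-Lab or from this thesis: it assumes the rules are loaded on the host that routes each virtual machine's traffic through its FORWARD chain, and the function name, addresses, subnet and VNC port are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tele-Lab's or the thesis authors' code).
# Emits an iptables-restore ruleset for the FORWARD chain of the host that
# carries a virtual machine's traffic. Assumption: VM traffic is routed (not
# bridged) through the host. All addresses and ports below are constructed.

telelab_rules() {
    vm_ip=$1      # address of the virtual machine
    vm_net=$2     # subnet shared by all virtual machines on the host
    user_ip=$3    # remote user the VM is assigned to; empty if unassigned
    vnc_port=$4   # TCP port of the VM's VNC service

    echo "*filter"
    # Default-deny: whatever no rule below accepts is dropped.
    echo ":FORWARD DROP [0:0]"

    # Policy 1 (local connections and services inside the VM) never crosses
    # the host's FORWARD chain, so it needs no rule here.

    if [ -n "$user_ip" ]; then
        # Policy 3: an assigned VM may accept VNC connections from its user
        # and answer them. Connection tracking lets the VM send packets only
        # on a VNC connection that the user opened.
        echo "-A FORWARD -s $user_ip -d $vm_ip -p tcp --dport $vnc_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "-A FORWARD -s $vm_ip -d $user_ip -p tcp --sport $vnc_port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi

    # Record denied attempts (rate-limited) so misuse shows up in the host log.
    echo "-A FORWARD -s $vm_ip -m limit --limit 5/min -j LOG --log-prefix \"vm-isolation-deny \""

    # Policy 2: no connections from this VM to the other VMs on the host.
    # The next rule would also catch this traffic; it is spelled out so that
    # each policy has a visible rule and its own packet counter.
    echo "-A FORWARD -s $vm_ip -d $vm_net -j DROP"

    # Policy 4: apart from the VNC replies accepted above, the VM may not
    # send anything towards the Internet.
    echo "-A FORWARD -s $vm_ip -j DROP"
    echo "COMMIT"
}

# Constructed sample: VM 10.0.0.11 on 10.0.0.0/24, assigned to user 192.0.2.50.
telelab_rules 10.0.0.11 10.0.0.0/24 192.0.2.50 5901
```

Piping the output to `iptables-restore --test` parses the ruleset without loading it.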

3.2.2 Information Security Education


Information security education has been intensively researched over the years. Many

researchers have focused on improving the methods of information security education using

various methods. Some papers have implemented pedagogical modules that exposed

students to information security education methods (Dobrilovic & Odadžic, 2006; Damiani,

et al., 2006; Aboutabl, 2006; O’Leary, 2006; Glumich & Kropa, 2012).

In the IWAR laboratory for instance (Lathrop, S. D. et al., 2003), the authors designed and

implemented different network laboratories for information security education, where


students were taught the concept of firewalls from a defensive perspective. Though the IWAR

laboratory is biased towards a military context, the concept and principle behind the lab could

be applied in any information warfare laboratory. Besides the IWAR laboratory system,

other well known information security education programmes such as the Tele-Lab-Security

architecture (Hu J. et al., 2006; Willems, & Meinel, 2008) and the CyberDefense lab (Aboutabl,

2006), among others, have over the years made various efforts to improve information

security education.

Very instrumental in information security education are computer laboratories, and most of

these laboratories are dedicated computer laboratories or networks. In spite of the fact that

dedicated computer laboratories are good environments for hands-on security education, it is

important to note that they are very expensive to design, implement and maintain, for they

require expensive hardware and software investments. Beyond the cost element, it is not

untrue that most security exercises require system level access to the operating system

(Willems, & Meinel, 2008), which has the capability of introducing the risk of misuse and

inconvenience of administration. By their very nature, dedicated laboratories do not give

access to learners or users who are not physically present, and therefore fail to benefit the

group of learners who participate in distance education programmes. These among other

things, justify the move towards virtualisation technologies which this paper seeks to

explore.

3.2.3 Virtualisation Technology


In the effort to improve upon the use of dedicated computer laboratories in information

security education, researchers have been exploring virtualisation technology, which

somehow overcomes the challenges of dedicated computer laboratories. Nabhen & Maziero

(2006) for instance, acknowledged the importance of virtual machine as a vital tool in the

learning process, and therefore employed the technology in the teaching of computer


networks. The authors demonstrated in their work how virtual machines could be used to

effectively and efficiently teach computer network concepts such as IPSec, Firewalls,

network services and other important network concepts. Timóteo (n.d.) also explored

virtualisation technology in the teaching of information security. This work concentrated on

the learning of configuration, testing and traffic verification of different QoS configurations.

The arguably popular IWAR laboratory (Lathrop, et al 2003) also deployed the technology

of virtual machines in the Information Assurance Network laboratory, which was used in the

teaching and learning of firewall concepts from a defensive standpoint. Probably, what

this research work did differently was to put the virtual machine in between the internal and the

external networks and configure Iptable on it to protect the internal network from attack

from the external network.

Other researchers who made use of virtualisation technology include Damiani, et al. (2006),

who implemented a virtual laboratory which offered network security students at the

University of Milan a complete training environment accessible through the web from web

browser; Hu, et al. (2006) who designed the Tele-Lab IT-Security architecture that allows

students to learn IT security principles as well as gain hands-on security experience by

exercise in a virtualised laboratory environment; and Dobrilovic & Odadžic (2006) who

demonstrated the use of virtualisation technology in teaching computer networks.

The table below throws more light on the various factors that went into the selection of the

literature for this work.


Columns: Research Work; Use of Netfilter/Iptable?; Information Security Education Laboratory?; Use of virtualisation technology?; Use of Conventional Laboratory?; Work done in web server?; Purpose of work

Chen et al. (2010)   ✔ ✔ ✔   Improve performance of network applications

Aboutabl (2006)   ✔ ✔   Info security through pedagogical modules

Nabhen & Maziero (2006)   ✔ ✔ ✔ ✔   Highlighting the benefits of virtual machines for the pedagogical practice

Kretzer & Frank (2005)   ✔ ✔ ✔   Teaching firewall rules and IDSs through lab exercises

Kumar et al (2010)   ✔ ✔   Increasing the efficiency of IDSs

Accardi et al, (2005)   ✔ ✔   Improve the performance of netfilter with network processor resident firewall

Brink et al (2003)   ✔ ✔

Glumich & Kropa (2012)   ✔ ✔ ✔   Developing cyber defense skills in students through cyber security exercises

Hu J. et al (2006)   ✔ ✔ ✔   Implementing hands-on security lab on the Internet

Dobrilovic & Odadžic (2006)   ✔ ✔ ✔ ✔   Teaching computer networks through virtualisation technology

Damiani, E et al (2006)   ✔ ✔   Teaching IT via virtual labs

Timóteo (n.d.)   ✔ ✔ ✔   Teaching & learning of QoS via virtual labs

Lathrop, et al (2003)   ✔ ✔ ✔   Improving Info security education labs

O’Leary, M. (2006)   ✔ ✔ ✔ ✔   Teaching computer security

Table 1: Factors that informed the choice of literature

Clearly, there has been a lot of work on Netfilter/Iptable. Some of the works just described

how the Linux firewall works; others described how it can be used for network security

purposes. One thing that runs through most of the works is that not enough time and space

has been allotted for the study of Netfilter/Iptable. In other words, in most of the works or

studies, Netfilter/Iptable was not the main subject of interest or study. It was treated as part

of a whole lot of security tools. In our view, this would have created some gaps in the study

of Netfilter/Iptable as a security tool in securing information systems.

Again, most of the works in which Netfilter/Iptable was investigated or described were not

primarily information security education studies. This has made our work which seeks to


demonstrate the use of Netfilter/Iptable in securing web servers in information security

education in a virtualised environment relevant and necessary.

Now, regarding the specific gap that our work seeks to address, we make reference to the

work done by Aboutabl (2006); Kretzer & Frank (2005); Glumich & Kropa (2012); Hu J. et

al (2006); Dobrilovic & Odadžic (2006); Timóteo (n.d.); and Lathrop, et al (2003). All these

researchers made use of Iptables in their virtual laboratories for the teaching and learning of

information security. However, these virtual laboratories are instructor dependent, to the

extent that the majority of students, particularly beginners, will have to depend on instructors in

order to use the systems. What our work sought to improve regarding this issue was to

somewhat remove this bottleneck. In our work, students do not necessarily need instructors

to follow our guidelines, though the instructors are the key stakeholders of the system we

designed. All that the students need is a virtual machine with the required/necessary security

tools, and they will learn on their own.

More specifically, the Tele-Lab IT Security (Hu & Meinel, 2004), a web based information

security training system, developed at the University of Trier, Germany, attempts to

integrate a security laboratory on the Internet using well-managed virtual machines which

allow users to gain practical knowledge of security technologies and tools in a reliable and

secure way.

Our work is similar to the Tele-Lab (Hu & Meinel, 2004) in some respects. The Tele-Lab

used virtualisation technology. In the Tele-Lab, Netfilter was installed on the host (web

server) to control traffic. The Tele-Lab presented a security training architecture which

implements a security laboratory on the web. It offers users a real working environment – a

Linux virtual machine – instead of a simulation environment.

However, its focus is on the security tools only. In addition to the security tools our work

has made it possible for users to learn about the attack tools: how they work and how they


can be used to learn about the vulnerabilities of a system. This gives the user a broader

perspective on the security issues. Aside from this, we tried to make our work simple.


CHAPTER FOUR

4.0 Methodology
4.1 Technology Analysis

The research is focused on analysing technology to obtain results for the research question

stated above. In furtherance of this, we reviewed all possible literature available to

determine how stated technologies help to defend the web server. The literature review

covered web servers, virtual laboratories, Netfilter/Iptables, and information security

education. The databases used in the review were Google Scholar, IEEE and ACM.

Empirically, we configured the Netfilter/Iptable firewall on the server to observe attacks that

will go through the protection offered by the service provider. The program most commonly

used to provide a firewall on a Linux computer is Iptables, which is part of the packet

filtering framework inside the Linux 2.4.x and 2.6.x kernel series produced by the

Netfilter.org project.

We considered the methodology of design research in this study. Design research is

fundamentally about “the analysis of the use and performance of designed artifacts to

understand, explain and very frequently to improve on the behaviour of aspects of

information systems” (Vaishnavi & Kuechler, 2004). It is about the creation of information

technology artifacts with the aim of solving identified problems, to make research

contributions, and also to communicate the results to appropriate audiences. Another critical

component of the design research is the design evaluation - the rigorous demonstration of

the utility, quality, efficacy of the designed artifacts by means of well-executed evaluation

methods (Hevner & Chatterjee, 2010).

We have adopted and followed largely the following guidelines for design research

methodology by Hevner et al (2004).


Guideline 1: Design as an Artifact: Design-science research must produce a viable artifact

in the form of a construct, a model, a method, or an instantiation.

Guideline 2: Problem Relevance: The objective of design-science research is to develop

technology-based solutions to important and relevant business problems.

Guideline 3: Design Evaluation: The utility, quality, and efficacy of a design artifact must

be rigorously demonstrated via well-executed evaluation methods.

Guideline 4: Research Contributions: Effective design-science research must provide

clear and verifiable contributions in the areas of the design artifact, design foundations,

and/or design methodologies.

Guideline 5: Research Rigor: Design-science research relies upon the application of

rigorous methods in both the construction and evaluation of the design artifact.

Guideline 6: Design as a Search: The search for an effective artifact requires utilizing

available means to reach desired ends while satisfying laws in the problem environment.

Guideline 7: Communication of Research: Design-science research must be presented

effectively both to technology-oriented as well as management-oriented audiences.

In this work we designed an information security artifact, which is the online laboratory that

would be used to teach information security. This is necessitated by what we have identified

as inadequate acquisition of practical knowledge during information security training due to

the methods used for the training. The work has therefore developed a system that can

enhance the practical knowledge of the trainees. The system could be evaluated through use

of attack-defense tools.


The following steps proposed by Yin (2003) enhanced data collection:

● Access to the organization (LTU)

In this case, we made use of the InfoSec Lab set up by the University (LTU). The

University set up a virtual lab for the purposes of information security education which we

used for our work.

● Access to some employees (Lecturers) and students.

4.2 Technical Requirements and Architecture

For this work, what is needed is a Linux server powerful enough to handle virtual machines

for all the members of a course in information security education. As can be seen from the

physical topology of the lab under chapter four, we used Linux VMware ESXI 5 VM

Console. We configured two virtual machines on this platform for the work: an

Ubuntu Server, which serves as the host, and a Windows 7 machine, which we used as the client.

We used the client to attack the host which hosts the web server.

The other tools we used included Metasploit and Nmap/Zenmap. Metasploit is a hacking

tool designed to facilitate system exploitation. Metasploit has both a GUI version and a

command prompt version, with most features accessible through the GUI while the

command line can be used to access all features. Nmap was used to learn about the server.


CHAPTER FIVE

5.0 Implementation and Analysis of Lab

Presently, the technologies most frequently applied by firewalls are of three main kinds, namely:

stateful inspection firewall, packet filtering firewall and application gateway firewall. Of

these, the stateful inspection firewall combines the merits of the packet filtering firewall and

the application gateway firewall, which makes it the main technology of firewall products

today. The traditional packet filtering technology determines whether a data flow passes or

not only by inspecting the related information in the header of the IP packet, whereas the stateful

inspection technology adopts a kind of stateful inspection mechanism based on connections

and treats all the packets which belong to the same connection as an integral data flow

(Zhang, et al., n.d.). In this research the following tools were used: iptables/netfilter, nmap

and zenmap, metasploit and nexpose.
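
To make the difference concrete, the following added example (not from the thesis) emits two Netfilter INPUT rulesets for a web server: one that judges each packet from its header fields only, and one that uses connection tracking. The function name, and the assumption that the server also makes outbound HTTP requests of its own (for example package downloads), belong to this example.

```shell
#!/bin/sh
# Added example (not the thesis authors' code).
# Emits an iptables-restore ruleset for the INPUT chain of a web server on
# TCP port 80 that also makes outbound HTTP requests (an assumption of this
# example). Mode "packet-filter" is the weaker, header-only variant; mode
# "stateful" is the connection-tracking variant.

web_server_rules() {
    mode=$1
    case "$mode" in
    packet-filter|stateful) ;;
    *)
        echo "usage: web_server_rules packet-filter|stateful" >&2
        return 2
        ;;
    esac

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"

    if [ "$mode" = "packet-filter" ]; then
        cat <<'EOF'
# Header-only filtering: every packet is judged in isolation.
-A INPUT -p tcp --dport 80 -j ACCEPT
# Replies to the server's own outbound HTTP requests can only be described as
# "TCP, source port 80, not a bare SYN". Any segment of that shape is accepted
# on any destination port, whether or not the server opened that connection.
-A INPUT -p tcp --sport 80 ! --syn -j ACCEPT
EOF
    else
        cat <<'EOF'
# Stateful inspection: packets are accepted because they belong to a flow the
# kernel is already tracking, not because of their port numbers alone.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that fit no tracked flow and do not validly open one are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only a SYN that opens a new connection to port 80 creates a new flow.
-A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    echo "COMMIT"
}

# Print the stateful variant when the script is run directly.
web_server_rules stateful
```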

The Ubuntu Server comes with a default firewall configuration known as ufw. The ufw

makes it easy to configure the iptables firewall, providing a user-friendly way to create both an

IPv4 and IPv6 host-based firewall. However, the ufw does not provide complete firewall

functionality through its command interface; rather, it creates room for updating firewall

rules easily. At the time of this study, it was mainly used for host-based firewalls in most

systems. The table below shows the use of ufw rules and corresponding actions:


Rule Action

sudo ufw enable ufw is enabled

sudo ufw allow 22 open a port (ssh in this example)

sudo ufw deny 22 close an opened port (ssh in this example)

sudo ufw delete deny 22 remove a rule (ssh in this example)

sudo ufw allow proto tcp from 192.168.0.2 to any port 22 allow access from specific host or networks to a port (ssh in this example)

sudo ufw disable ufw is disabled

sudo ufw status to see the firewall status

sudo ufw status verbose to see a more verbose status information

sudo ufw status numbered to see the numbered format

Table 2: Default Ubuntu Firewall, UFW commands and actions.

5.1 Design of Lab and Settings

We conducted the research in a virtual environment provided by Luleå University of

Technology which involves the MSc InfoSec Server (nested virtualization support) with the

following specifications made available to us.

Processor

Quad-core processor in the Intel® Xeon® E3-1200 family

Dual-core processor in the Intel® Core™ i3-2100 family

Dual-core processor in the Intel® G600 and G800 series

Dual-core processor in the Intel® Celeron® G400 and G500 series

Operating Systems (OS)

Microsoft® Windows® Small Business Server 2011

Microsoft® Windows® Small Business Server 2008

Microsoft® Windows Server® 2008 R2 Foundation SP1

Microsoft® Windows Server® 2008 SP2, x86/x64 (x64 includes Hyper-V®)

Microsoft® Windows Server® 2008 R2 SP1 x64 (includes Hyper-V v2)

Microsoft® Windows® HPC Server 2008


Novell® SUSE® Linux® Enterprise Server

Red Hat® Enterprise Linux®

Memory

Up to 32 GB (4 DIMM slots) 1, 2, 4, 8 GB DDR3 up to 1333 MHz

Storage

Options for wired hard disks: 2.5-inch SATA SSD, SAS (10 000 r/min) 3.5 SAS (15 000 r/min),

Near Line SAS (7200 r/min), SATA (5400 r/min, 7200 r/min)

Maximum internal storage: Up to 6 TB.

Network Controller

A Broadcom BCM 5716 dual-port

Communications

Broadcom® NetXtreme™ 5709 Gigabit Ethernet NIC Dual Port, copper, TOE, PCIe x4
Broadcom® NetXtreme® 5709 Gigabit Ethernet NIC Dual Port, copper, TOE / iSCSI, PCIe x4
Broadcom® NetXtreme® II 5709 Gigabit Ethernet NIC four-port, copper, TOE / iSCSI, PCIe x4
GbE adapter from Intel, dual port, Gigabit Ethernet NIC, PCIe x4
GbE adapter from Intel with four ports, Gigabit Ethernet NIC, PCIe x4


Physical Lab Design

Figure 1: Physical Topology of Lab.

5.3 Our Work

Our work was primarily performed in the Linux VMware ESXi 5 VM console. In the console, we used two virtual machines, namely Ubuntu Server (host) and Windows 7 (client). These machines were installed with the help of Prof. Todd Booth.

5.3.1 Implementation on the Ubuntu Server (Host)

The specifications of the Ubuntu server used are shown in the diagram below:

Figure 1: Ubuntu Web Server Configuration

The Ubuntu Server requires administrative credentials, such as a login username and password. These credentials enable limited access control into the server. We then installed the Apache Web Server by typing the command sudo apt-get install apache2 at the command line. The Netfilter/IPtables firewall was then deployed.

5.3.1.1 Iptables User Interface

We need to clarify the use of some concepts here. First of all, Iptables sometimes denotes a group of tables with sets of rules in an organized form. In this research, however, the term Iptables refers to the software running in the user interface, which is not specialized.

Iptables is a powerful tool that enables a user to append, replace, delete and list the rules for the firewall within a system. To list all rules and chains, type [iptables -L]. If any rules are still set, flush them by typing [iptables -F] or [iptables --flush]. The default rules, together with any existing rules, are then cleaned up. Your system is now wide open, with no firewall protection. To add rules, first add the ports/protocols/services you want to allow. Then add a "CATCH-ALL" rule, which will automatically REJECT or DROP any other packets that do not use the protocols and ports specified. The "CATCH-ALL" rule should be placed at the bottom of all rules so that it is evaluated last. However, if you want to create a new rule allowing a different port after you have created your CATCH-ALL rule, first remove the CATCH-ALL rule by typing [iptables -D INPUT Line#], and thereafter add the new rule by typing [iptables -A INPUT etc]. You now have to add the CATCH-ALL rule back at the end by typing [iptables -A INPUT etc]. Where there are multiple NICs, remember to specify the interface the rule applies to by typing [-i eth0] or [-i eth1]. To allow HTTP traffic for an Apache web server over port 80, type [iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0]. To allow FTP traffic for VSFTPD over port 21, type [iptables -A INPUT -j ACCEPT -p tcp --destination-port 21 -i eth0]. Some of the rules are summarised below:

RULE                                                                      ACTION
iptables -A INPUT -j DROP -p tcp -i eth0                                  add a CATCH-ALL rule to block any other traffic not specified
iptables -A INPUT -j ACCEPT -p tcp --destination-port 23 -i eth0          allow telnet while still blocking any other ports
iptables -D INPUT 3                                                       deletes the third rule
iptables -P FORWARD DROP                                                  drops forwarded packets by default
iptables -A FORWARD -s 192.168.20.0/24 -j ACCEPT                          accept or forward only packets originating from the ip 192.168.20.x network
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 80 -j DROP    block all HTTP
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p all -j DROP               block everything

Table 3: IPTABLE rules and actions

Figure 2: Default Ubuntu Server Configuration

Figure 3 shows the default settings of the Ubuntu Server. There are three types of built-in chains: INPUT, FORWARD and OUTPUT. INPUT determines which packets are allowed into the computer, FORWARD determines which packets pass through the computer provided there is a router, and OUTPUT determines which packets are allowed to leave the computer in use. For a Linux Web Server, two ports, port 80 and port 22, were opened to allow packets into the computer system. The CATCH-ALL rule indicates that no other traffic would be allowed into the system apart from port 80 and 22, as shown below in figure 4:

Figure 3: Port 80 and 22 Opened

For every web server, the two main ports that need to be accessible are the http and ssh ports. These ports were opened to allow incoming traffic or packets, while all other packets are denied access to the server (see figure 4).

5.3.2 Implementation on Windows 7 (client) computer

The diagram below shows the specifications used on the client computer:

Figure 4: Windows 7 client Configuration

5.3.2.1 Nmap/Zenmap
Nmap is the short form of Network Mapper, a security scanner used to discover hosts and services on a computer network. One important thing about Nmap is that it is a free, open source network mapping security tool available to most Linux "distros" such as Ubuntu and Fedora. Zenmap is simply Nmap for Windows. It performs several network scanning and security testing functions such as ping sweeps, port scans, spoofing IP addresses and covertly gathering intelligence on a particular network. Ping sweeps use ICMP to systematically go up and down the available host IDs in a particular network subnet; each host that returns an echo reply is enumerated and, once discovered, used in further exploits. Port scans probe up and down the ports on hosts that have been identified by a ping sweep. Once a port is identified as open, different exploits can be leveraged against it. An open port indicates the services the host provides and the protocols it allows through its firewalls and filters, which reveals particular vulnerabilities that apply to the port. Performing ping sweeps and port scans generates a signature that can trigger the alarm on a network's Intrusion Detection System (IDS). Nmap can help spoof the IP address of a trusted server or workstation on the network by custom-crafting the source field of the packets to avoid the alarm going off. It can also impersonate a trusted client so as not to set off the alarm or arouse suspicion. Apart from all these tasks, Network Mapper can also reveal the operating system of a particular host by analysing it to see if it conforms to certain signatures that match pre-defined profiles. In summary, Nmap helps you test, audit and harden your network. It is normally used together with many other tools like Wireshark, Snort, netcat and Cain and Abel, and manual techniques such as banner grabbing.
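The signature that ping sweeps and port scans leave behind can be recognised from firewall logs. The following Python detector is an added example, not part of the thesis: it assumes packets are logged with the iptables LOG target under a constructed prefix "FW-IN:", and every log line and every address other than the lab server's 192.168.200.114 is constructed.

```python
import re
from collections import defaultdict, deque

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value pairs written by the LOG target
TS_RE = re.compile(r"\[\s*(\d+\.\d+)\]")        # kernel timestamp, seconds since boot


def parse_line(line):
    """Return (ts, src, kind, target) for a probe-like packet, else None."""
    ts, f = TS_RE.search(line), dict(FIELD_RE.findall(line))
    if ts is None or "SRC" not in f or "DST" not in f:
        return None
    when = float(ts.group(1))
    if f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
        return when, f["SRC"], "port scan", (f["DST"], f["PROTO"], f["DPT"])
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":      # ICMP echo request
        return when, f["SRC"], "ping sweep", f["DST"]
    return None


def detect(lines, window=10.0, threshold=5):
    """Flag sources that touch >= threshold distinct targets within `window` seconds."""
    recent = defaultdict(deque)                 # (src, kind) -> (ts, target) in time order
    alerts = set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, kind, target = event
        seen = recent[(src, kind)]
        seen.append((ts, target))
        while ts - seen[0][0] > window:         # expire events older than the window
            seen.popleft()
        if len({t for _, t in seen}) >= threshold:
            alerts.add((src, kind))
    return sorted(alerts)


def log_line(ts, src, dst, rest):
    """Build one constructed line in the kernel-log layout of the LOG target."""
    return (f"Jun  1 10:00:00 web kernel: [{ts:10.3f}] FW-IN: IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=44 TTL=52 ID=1 {rest}")


SERVER = "192.168.200.114"                      # the lab server's address on this page
SAMPLE = (                                      # constructed log, in chronological order
    # one source probing six different ports on the server within half a second
    [log_line(100 + i / 10, "192.168.200.50", SERVER, f"PROTO=TCP SPT=40000 DPT={p} SYN")
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    # the same source sending echo requests to six different hosts
    + [log_line(101 + i / 10, "192.168.200.50", f"192.168.200.{h}", "PROTO=ICMP TYPE=8 CODE=0")
       for i, h in enumerate(range(101, 107))]
    # an ordinary client that only ever talks to port 80
    + [log_line(102 + i, "192.168.200.60", SERVER, f"PROTO=TCP SPT={50000 + i} DPT=80 SYN")
       for i in range(8)]
    # five ports touched 25 seconds apart: too slow for a 10-second window
    + [log_line(110 + 25 * i, "192.168.200.70", SERVER, f"PROTO=TCP SPT=40000 DPT={p} SYN")
       for i, p in enumerate((21, 22, 23, 25, 80))]
)

if __name__ == "__main__":
    for src, kind in detect(SAMPLE):
        print(f"possible {kind} from {src}")
```

The slow source is missed with the default window, which is why the window and threshold have to be tuned to the traffic the lab actually carries.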

Figure 5: Ping Sweep Results

The Ping Sweep scan result shows the number of devices in the Information Security Lab together with their IP addresses. The result also helps to identify server and client devices. The result from the scan shows that the IP address 192.168.200.114 is a server. The results also show the MAC addresses of all devices in the lab.

Figure 6: Entire Port Scan on the Network

The entire port scan shows all opened ports together with their filter services as shown in

Figure 7.

Figure 7: Stealth Port Scan

The stealth port scan enables you to close all ports except for those you want to allow. In our case, we allowed both ssh and http because we are working with a web server. This is shown in Figure 8 above.

5.3.2.2 Metasploit Framework


Metasploit is a free, open source hacking framework and penetration test solution designed to make writing and executing exploits simple. It saves the time and effort of writing executable code. For this reason, we decided to use Metasploit in this research work. You can download Metasploit free from http://www.metasploit.com. Metasploit has both a GUI version and a command prompt version; most features are accessible through the GUI, while the command line can be used to access all features. Before using Metasploit, however, it is important to note that terms such as exploit, payload and vulnerability scan are crucial to the success of an attack, hence we discuss these briefly. Exploits are the weaknesses that exist as a result of a vulnerability scan which enable an attacker to take advantage of a system (Kennedy, et al., 2011). Kennedy, et al. (2011) defined a payload as code that the attacker wants the system to execute, selected and delivered by the framework. "Vulnerability scanners are automated tools used to identify security flaws affecting a given system or application" (Kennedy, et al., 2011). We used NeXpose, a vulnerability scanner from the same company that made Metasploit, to scan the system for loopholes. NeXpose is better with Metasploit since it validates exploitability and verifies remediation. We used NeXpose because it ensured that

100% scan of the server was performed

real risk exposure is accurately understood

vulnerabilities are prioritized faster and

vulnerabilities are remediated.

Figure 8: NeXpose Vulnerability Scan Result

The NeXpose vulnerability scan of the Ubuntu Linux Server found four (4) vulnerabilities in 49 seconds. We then used Metasploit to penetrate the system through the weaknesses found.

5.3.3 A FRAMEWORK FOR DESIGNING SECURITY PROJECTS


We have also designed a framework for various information security projects. The

framework involves implementing and evaluating projects and has the following

components:

Objectives: The aims/goals for the project and the learning opportunities.

Tools: The tools necessary for the implementation of a specific project.

Expectations: A complete description of the problem and what is required of a student to complete the task.

Problem Description: A complete description of the problem is necessary and must be more specific. The assignment should address issues like: Will it involve programming? Is it a study experiment? Does it require prior knowledge of any sort?

Implementation in the security lab: This concerns the infrastructure necessary for a project to be implemented. Questions such as "Is the network topology subject to changes?" and "What kind of resources are available to the student to implement it?" are to be addressed.

Level of difficulty: The project's level of difficulty, that is, Beginner, Intermediate or Expert.

Criteria for grading: The criteria for grading the projects and the approaches investigated by the lecturer or teacher are subjective. The grade is thus either PASS or INCOMPLETE.

5.3.3.1 Project A: Network Vulnerabilities


Objective: In this project, you will use nmap to identify vulnerabilities on both the Ubuntu Web Server and Windows 7. Students can work in groups of two. It is advisable that, as one student implements the iptables/netfilter firewall, the other student uses the nmap tool to discover which ports are open or closed.

Tools: Nmap (free open source utility).

Expectations: Students are expected to learn how to install Nmap and address these questions: "What is the main purpose for using nmap? What can you do with nmap and how?"

Problem Description: This project is both a study experiment and a network assignment.

Implementation in the Security lab: The project requires updating IPtables on a virtual security lab provided by the university, including the security tool nmap.

Level of difficulty: This project is for beginners.

Criteria for grading: The teacher or TA can use nmap to check whether the results are the same as those of the students. Hence, PASS or INCOMPLETE (unsatisfactory results).

5.3.4 Results and Analysis


The results of our work can be grouped into vulnerability results and penetration test results. After configuring the Iptables/netfilter firewall on the Linux Ubuntu Web Server, five (5) weaknesses were discovered over several scans at different times. This was done to ascertain the true existing weaknesses students are likely to observe on the web server. The scan showed the following weaknesses:

Figure 9: Vulnerability Listing


Of the five weaknesses found, three were rated severe, exposing the web server to about 1270 (559+521+190) different kinds of risks. Two of the severe ones were found on port 80, which was left open to allow web communication. This can be observed in the diagram below:

Figure 10: Service Listing

From the figure titled "service listing", port 22 (ssh) recorded zero vulnerabilities.

The vulnerabilities were then imported into metasploit in order to exploit them. This is

shown below:

Figure 11: Metasploit Import from NeXpose

Metasploit was then used to ascertain whether those vulnerabilities really exist on the host system by typing the command hosts to identify the host on which the server is running. The command vulns displayed a detailed description of the vulnerabilities found. This is shown in the diagram below:

Figure 12: Metasploit vulnerabilities List

CHAPTER SIX

6.0 Discussion and Conclusion

In this paper we have demonstrated how to use the IPtables firewall in securing a web server. Using Linux netfilter, running on a high performance processor, we were able to successfully exploit the server to collect vulnerabilities. Kretzer & Frank (2005) used iptables to set up a firewall in SmoothWall to forward and drop packets in an iptables lab. SmoothWall is a GNU General Public License, Linux-based firewall with minimal hardware requirements. But this was done in a physical lab.

This research aimed at outlining the steps one could use to secure a Linux Web Server as part of an information security experiment in a virtual lab. The virtual environment makes it necessary for both online students and campus students to perform this experiment on their way to becoming future security experts. We used simple graphical user interface (GUI) tools, which are free to download, to configure, implement, penetrate, scan and analyse in the research. However, some of the tools used required a command prompt interface for configuration. The tools used are nmap/zenmap, nexpose, metasploit and iptables/netfilter in a virtual environment. The theoretical framework and literature provided the basis for the research to be carried out using virtualisation technology. Nabhen & Maziero (2006), for instance, use virtual machines to provide a platform for teaching computer network concepts such as IPSec, firewalls, network services and other important network concepts. Timóteo (n.d.) also made extensive use of virtualisation technology to promote the teaching and learning of configuration, testing and traffic verification of different QoS configurations. The popular IWAR laboratory (Lathrop, et al., 2003), the Tele-Lab IT-Security (Hu, et al., 2006), and other works by researchers such as Damiani, et al. (2006) and Dobrilović & Odadžić (2006) all laid the foundation for virtualisation technology in information security education. The Tele-Lab IT Security (Hu & Meinel, 2004), a web-based information security training system developed at the University of Trier, Germany, attempts to integrate a security laboratory on the Internet using well-managed virtual machines, which allow users to gain practical knowledge of security technologies and tools in a reliable and secure way.

Our work is similar to the Tele-Lab (Hu & Meinel, 2004) in some respects. The Tele-Lab

used virtualisation technology. In the Tele-Lab Netfilter was installed on the host (web

server) to control traffic. The Tele-Lab presented a security training architecture which

implements a security laboratory on the web. It offers users a real working environment – a

Linux virtual machine – instead of a simulation environment.

However, its focus is on the security tools only. In addition to the security tools, our work has made it possible for users to learn about the attack tools: how they work and how they can be used to learn about the vulnerabilities of a system. This gives the user a broader perspective on the security issues. Aside from this, we tried to make our work simple.

Unlike the Tele-Lab, we used two virtual machines, namely Ubuntu Web Server (host) and Windows 7 (client). Iptables/netfilter was deployed on the host as firewall software, while nexpose, metasploit and nmap/zenmap were deployed on the client. Attacks were then launched against the host using the client. The virtual environment makes it safe for students to perform all kinds of attack since no genuine/real physical device or file would be compromised. This is a perfect environment for learning security experiments. In this environment, we answered the research question and thereby realised the objective of the work: How can students secure the Linux web server via the Linux netfilter/iptable firewall in a virtualized environment?

We have established from the work that, to secure the Ubuntu Web Server in a virtual environment using the Iptables firewall, it is important to first keep Ubuntu updated by issuing the command apt-get update. Ubuntu should also be upgraded to the newest version with the command apt-get upgrade. These commands will patch all weaknesses or vulnerabilities detected by the vendor as you connect to the Internet. In configuring Iptables, it is important to FLUSH all existing default policies before beginning your script. Only open the necessary ports based on the functions of the server (ports 22 and 80 for a web server in our case). Use the INPUT rule to allow incoming traffic while using the CATCH-ALL to drop all other traffic. These are rules that allow traffic and deny any other. How does Iptables work? The Iptables/netfilter rules perform their work based on the TCP handshake. When a device connects remotely to the Web Server, a SYN message is sent and generally acknowledged with a SYN-ACK between the server and the client. Once the client receives the ACK message, a network connection is established.

In securing the server with the IPtables firewall, the following steps were taken:

Open the root terminal and type iptables -L. This allows you to see the nature and settings of your firewall. You should see INPUT (anything coming into the PC), FORWARD (on a network, for viewing traffic to and from the PC) and OUTPUT (anything coming out of your PC). Ignore the ordinary terminal.

Type iptables -A INPUT -i lo -j ACCEPT. This adds a rule to the INPUT chain to accept loopback. Loopback refers to activities within your computer through iptables.

Type iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT. This rule allows the INPUT chain to accept anything established or related. "-m state" refers to matching the state, here the established or related ones.

Now add a rule to the INPUT chain to accept any TCP protocol packets from port 80. This can be done with the command iptables -A INPUT -p tcp --sport 80 -j ACCEPT.

Type iptables -A INPUT -p udp --sport 53 -j ACCEPT to add a rule to the chain to allow udp protocol packets from port 53.

The iptables rules must always end with a rule to drop any other packets. This is done by adding to the INPUT chain the command iptables -A INPUT -j DROP.
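The rule order in the steps above, and the CATCH-ALL advice in section 5.3.1.1, can be checked with a small model of first-match evaluation. The following Python model is an added example, not code from the thesis or from the iptables project: it understands only the options that appear on this page, the packets are constructed, and the port-22 rule and the appended rules are assumptions modelled on the page's port-80 command.

```python
import shlex


def parse_rule(cmd):
    """Parse the subset of `iptables -A INPUT ...` syntax that appears on this page."""
    rule = {"proto": None, "iface": None, "sport": None, "dport": None,
            "states": None, "target": None}
    args = iter(shlex.split(cmd)[1:])        # drop the leading "iptables"
    for opt in args:
        val = next(args)                     # every option handled here takes one value
        if opt == "-A":
            if val != "INPUT":
                raise ValueError("this model only covers the INPUT chain")
        elif opt == "-j":
            rule["target"] = val
        elif opt == "-p":
            rule["proto"] = None if val.lower() == "all" else val.lower()
        elif opt == "-i":
            rule["iface"] = val
        elif opt in ("--sport", "--source-port"):
            rule["sport"] = int(val)
        elif opt in ("--dport", "--destination-port"):
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["states"] = frozenset(val.split(","))
        elif opt != "-m":                    # "-m state" only names the match module
            raise ValueError("unsupported option: " + opt)
    return rule


def matches(rule, pkt):
    """A packet matches when it satisfies every criterion the rule sets (unset = any)."""
    for field in ("proto", "iface", "sport", "dport"):
        if rule[field] is not None and rule[field] != pkt[field]:
            return False
    return rule["states"] is None or pkt["state"] in rule["states"]


def evaluate(cmds, pkt, policy="ACCEPT"):
    """First match wins. Returns (verdict, rule number); number 0 = chain policy."""
    for number, cmd in enumerate(cmds, start=1):
        rule = parse_rule(cmd)
        if matches(rule, pkt):
            return rule["target"], number
    return policy, 0


def shadowed(cmds):
    """Numbers of rules that can never fire because an earlier rule is at least as broad."""
    def covers(a, b):
        for field in ("proto", "iface", "sport", "dport"):
            if a[field] is not None and a[field] != b[field]:
                return False
        return a["states"] is None or (b["states"] is not None and b["states"] <= a["states"])
    rules = [parse_rule(c) for c in cmds]
    return [j + 1 for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]


# Rule list from the step-by-step procedure above, in the order given.
STEPS_RULES = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --sport 80 -j ACCEPT",
    "iptables -A INPUT -p udp --sport 53 -j ACCEPT",
    "iptables -A INPUT -j DROP",
]
# Section 5.3.1.1 form; the port-22 line is an assumption modelled on the port-80 command.
SERVER_RULES = [
    "iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0",
    "iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -i eth0",
    "iptables -A INPUT -j DROP -p tcp -i eth0",
]
# Constructed packets: a new browser connection to the server, and a DNS query to it.
NEW_HTTP = {"iface": "eth0", "proto": "tcp", "sport": 51000, "dport": 80, "state": "NEW"}
UDP_DNS = {"iface": "eth0", "proto": "udp", "sport": 40000, "dport": 53, "state": "NEW"}

if __name__ == "__main__":
    # --sport 80 matches traffic coming FROM port 80, so a new request TO port 80 hits DROP.
    print(evaluate(STEPS_RULES, NEW_HTTP))
    # --destination-port 80 admits the same request at rule 1.
    print(evaluate(SERVER_RULES, NEW_HTTP))
    # A catch-all restricted to "-p tcp" leaves UDP to the chain policy.
    print(evaluate(SERVER_RULES, UDP_DNS))
    # A rule appended after the unconditional DROP is unreachable.
    print(shadowed(STEPS_RULES + ["iptables -A INPUT -p tcp --dport 22 -j ACCEPT"]))
```

Running the same checks against the output of a live rule listing shows whether a newly appended rule landed below the CATCH-ALL, which is the situation the delete-and-re-add procedure in section 5.3.1.1 avoids.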

6.1 Future Work

Following the research/investigations described in this thesis, several projects could be taken

up, involving more attacking tools. Use:

Acunetix Web Security Scanner and Maltego in launching various attacks against the

Linux Web Server.

Netfilter/Iptables is great firewall software that can help improve security in a student-based virtual experimental lab. In our research, Iptables stood resolute against the attack tools. It would be interesting and extremely challenging to research how the firewall can this time prevent these tools from collecting any kind of data. We would not advise the use of multiple firewalls since it could slow down traffic or communications.

References

Accardi, K., Bock, T., Hady, F., & Krueger, J. (2005). Network Processor Acceleration for a
Linux * Netfilter Firewall. Memory, 115-123.

Brink, P., Castelino, M., Meng, D., Rawal, C., Tadepalli, H. (2003). Network Processing
Performance Metrics for IA- and NPBased Systems. Intel Technology Journal, 7(4), pp. 78-91.

Creasy R. J., (1981). The Origin of the VM/370 Time-Sharing System, IBM Journal of
Research and Development, vol. 25, no. 5, pp483–490.

Damiani, E. (2006). The open source virtual lab: A Case study. … on Free and Open Source
…, Retrieved from
http://cdlonline.dti.unimi.it/pdf/TheOpenSourceVirtualLabACaseStudy.pdf

Denzin, N. and Lincoln, Y.S. (1994). Handbook of qualitative research. London, UK: Sage
Publications

Dobrilović, D., & Odadžić, B. (2006). Virtualization Technology as a Tool for Teaching
Computer Networks. … of Science, Engineering and Technology, 138-142. Retrieved from
http://www.waset.ac.nz/journals/ijhss/v1/v1-2-19.pdf

Duignan, S. & Hall, T. (2008). Using Platform Virtualisation to Teach System Architectures
in Undergraduate Computer Science–An Evaluation of Student Learning Experiences.
Innovative Techniques in Instruction Technology, E-learning, E-assesment, and Education,
479-484. Springer.

Gerring, J. (2007). Case study research: principles and practices. Cambridge University
Press, Cambridge.

Giuseppe Carnevali & Giorgio Buttazzo (2003). A Virtual laboratory Environment For
Real-Time Experiments. Proceedings of the 5th IFAC International Symposium on
Intelligent Components and Instruments for Control Applications, Aveiro, Portugal, July 9-11.

Goldberg R. P. (1974). Survey of virtual machine research, IEEE Computer Magazine, vol.
7, no. 6, pp 34–45.

Gregor N. Purdy (2004). Linux iptables Pocket Reference. O'Reilly Media Inc, USA.

Haakon Bryhni et al. (2000). A Comparison of Load Balancing Techniques for Scalable
Web Servers. IEEE Network. pdf pg. 61.

Hevner, A. & Chatterjee, S. (2010). Design Research in Information Systems: Theory and
Practice. Springer,

Hevner, A. R., March, S.T., Park, J., & Ram, S., (2004). Design Science in Information
Systems Research, MIS Quarterly, Vol. 28, No. 1, pp. 75-105.

Hu J., Cordel D., and Meinel C. (2006). A Virtual Machine Architecture for Creating
ITSecurity Laboratories. Hasso Plattner Institut für Softwaresystemtechnik Technischer
Bericht. http://opus.kobv.de/ubp/volltexte/2009/3307/pdf/HPI_13.pdf

Hu, J., & Cordel, D. (2004). A virtual laboratory for IT security education. of the
Conference on Information Systems, 60-71. Retrieved from
http://subs.emis.de/LNI/Proceedings/Proceedings56/GI-Proceedings.56-5.pdf

Hu, J., Meinel C. (2004). Tele-Lab IT Security: A Means to Build Security Laboratories on
the Web. In Proceedings of The 18th International Conference on Advanced Information
Networking and Application (AINA), Fukuoka, Japan, pp. 285 - 288.

ITL Bulletin (September 1999). Securing Web Servers. Viewed online on 2012-07-16 at
http://csrc.nist.gov/publications/nistbul/09-99.pdf

Kennedy, D., O'Gorman, J., Kearns, D. & Aharoni, M., 2011. Metasploit: The Penetration
Tester's Guide. 1st ed. San Francisco: William Pollock

Kretzer, J., & Frank, C. E. (2005). Network security laboratories using smoothwall *.
Sciences, New York, 41-49.

Kumar Abhinav, Chadha Kunal, Asawa Krishna. (2010). Framework for vulnerability
reduction in real time intrusion detection and prevention systems using SOM based IDS with
Netfilter-Iptables. Journal of Computer Science, 8(4), 229-233.

Lathrop, S. D., Conti, G. J., and Ragsdale, D. J. (2003). Information warfare in the trenches.
In Security education and critical infrastructures, pages 19-39. Kluwer Academic
Publishers.

Li, P. & Mohammed, T. (2008). Integration of Virtualization Technology into Network
Security Laboratory. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4720550

Li, P. (2010). Selecting and Using Virtualization Solutions - Our Experiences with Vmware
and VirtualBox. The Journal of Computing Sciences in Colleges, 25/3, 11-17

Martin F. Arlitt & Carey L. Williamson (1997). Internet Web Servers: Workload
Characterization and Performance Implications. IEEE/ACM Transactions on Networking,
Vol 5, No. 5. pdf pg. 632.

Maung K. Sein, Ola Henfridsson, Sandeep Purao, Matti Rossi, Rikard Lindgren (2011).
Action Design Research, MIS Quarterly Vol. 35 No. 1 pp. 37-56

McCool, R., 2012. http://en.wikipedia.org/wiki/Apache_HTTP_Server. [Online] Available
at: http://en.wikipedia.org [Accessed 6 August 2012].

Mohamed S. Aboutabl (2006). The CyberDefense Laboratory: A Framework for
Information Security Education. Proceedings of the 2006 IEEE Workshop on Information
Assurance

Morales, L. & Dark , M., (2007). Information Security Education and Foundation Research.
s.l., IEEE.

Mou-Sen Chen, Ming-Yi Liao, Pang-Wei Tsai, Mon-Yen Luo, Chu-Sing Yang, and C.
Eugene Yeh (2010). Using NetFPGA to Offload Linux Netfilter Firewall, 2nd North
American NetFPGA Developers Workshop, Stanford, CA.

Mugdha Vairagade (2002). Introduction to Netfilter/Iptables: Configuring firewalls for
Linux (kernel 2.4.x) using netfilter/iptables.
http://www.ibm.com/developerworks/linux/library/s-netip/index.html

Nabhen, R., & Maziero, C. (2006). Some Experiences in Using Virtual Machines for
Teaching Computer Networks. Education for the 21st Century—Impact of ICT and ….
Retrieved from http://dl.ifip.org/index.php/AICT/article/view/22433

O'Leary, M. (2006). A laboratory based capstone course in computer security for
undergraduates. Proceedings of the 37th SIGCSE technical symposium on Computer
science education - SIGCSE ’06, 2. New York, New York, USA: ACM Press.

Peffers, K., Tuunanen,T., Rothenberger, M. A., & Chatterjee, S., (2008) A Design Science
Research Methodology for Information Systems Research. Journal of Management
Information Systems, M.E. Sharpe, Inc., Vol. 24, No. 3, pp. 45–77.

Peter M. and Brian D. Noble, When Virtual Is Better Than Real. Department of Electrical
Engineering and Computer Science, University of Michigan. Pdf

Philip J Lunsford II, Erol Ozan, Lee Toderick, Tijjani Mohammed (2006). Development of
an Educational Data Acquisition System to Profile Cyber Attacks. Proceedings of The 2006
IJME - INTERTECH Conference

Reid, R., Niekerk, J. V. & Solms, R. V., 2011. Guidelines for the creation of
brain-compatible cyber security educational material in Moodle 2.0. s.l., IEEE.

Rose, R. (2004). Survey of System Virtualization Techniques.
http://ir.library.oregonstate.edu/xmlui/bitstream/handle/1957/9907/rose-virtualization.pdf?sequence=1

Scheckler, R. K. (2003). Virtual labs: a substitute for traditional labs? The International
journal of developmental biology, 47(2-3), 231-6. Retrieved from
http://www.ncbi.nlm.nih.gov/pubmed/12705675

Simon Horman, (1998) "Creating Redundant Linux Servers", The 4th Annual Linux Expo,
May http://linux.zipworld.com.au/fake/

Sonja M. Glumich and Brian A. Kropa (2012). DefEX : Hands-On Cyber Defense Exercises
for Undergraduate Students. WorldCom 2011, Security and Management Session
Proceedings, Las Vegas.

Timóteo, R., Jr, D. S., Oliveira, A. C. V. D., Tsujiguchi, R., Pacheco, V. M., Abbas,C. J. B.,
& Puttini, R. S., (n.d.). A Virtual High-Speed Network Laboratory 1.
http://wirelessbrasil.org/wirelessbr/colaboradores/virtual_lab/virtual_lab.pdf

Wensong Zhang, (May 1998) "Linux Virtual Server Project",
http://proxy.iinchina.net/~wensong/ippfvs/,

Wensong Zhang, Linux Virtual Server for Scalable Network Services. National Laboratory
for Parallel & Distributed Processing, China. pdf.

Willems, C., & Meinel, C. (2008). Tele-lab it-security: an architecture for an online virtual it
security lab. International Journal of Online …, 2008. Retrieved from
http://www.hpi.uni-potsdam.de/fileadmin/hpi/FG_ITS/papers/Trust_and_Security_Engineering/2008_Willems_VIRTUALLAB.pdf

Yee Han Cheang Terence, (2009). To test the system integration and pedagogical of a
Virtual Laboratory: Effective Evaluation. SIM university. pdf.

Yiming Hu et al, (1997). Measurement, Analysis and Performance Improvement of the
Apache Web Server. Dept. of Electrical and Computer Engineering, Univ. of Rhode Island.
pdf.

Yin, R. K. (2003). Case study research design and methods. Sage Publications, London.

Zhang, K., Wang, J. & Ren, D., n.d. A Matching Algorithm of Netfilter Connection Tracking
Based on IP flow. s.l.: s.n.

Zhong, B. & Huaqing, L., (2012). Design of A New Firewall Based on Netfilter. s.l., IEEE.
